Over the past few months we’ve noticed that some of our clients had their sites compromised through password leaks. The compromised sites were later used to send out spam or distribute malicious content to site visitors.

There appears to be no pattern connecting the compromises to each other, except that all of them indicate the hacker gained access to the site through FTP. The hackers used the account holder’s username and password to log in to the site and then uploaded or replaced site files, either manually or through an automated script.

Our investigation has revealed that these hacks are not limited to a certain OS, Control Panel or Server. They have occurred to some of our direct clients and in some instances to clients of our resellers.

Further investigation confirmed there was no server-wide compromise. There is no indication of root compromise, file integrity is intact and no rogue users or scripts were found on the physical servers.

After carefully analyzing the logs for a few weeks, and running traces on the hackers, we’re confident that these attacks were only successful through a user/password compromise of the hacked site.

It appears the hackers are using keylogger malware to sniff user/pass information on clients’ local workstations. They then use this information to log in to the victim site through FTP and upload their malicious content. Once the password of the account is changed on our end, the hack stops.
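The pattern described above, a valid FTP login from an unfamiliar address followed by uploads that replace site files, can be looked for in FTP transfer logs. The sketch below is an added example and not part of the original notice: it assumes the FTP server writes the common xferlog format, and the log lines, account names, addresses and the per-account baseline of known addresses are all constructed.

```python
from collections import defaultdict

# Constructed xferlog-style lines; accounts and addresses are made up.
SAMPLE_LOG = """\
Mon Mar  2 09:12:44 2009 1 198.51.100.10 5120 /home/alice/public_html/about.html a _ i r alice ftp 0 * c
Tue Mar  3 03:41:07 2009 1 203.0.113.77 2048 /home/alice/public_html/index.php a _ i r alice ftp 0 * c
Tue Mar  3 03:41:09 2009 1 203.0.113.77 311 /home/alice/public_html/.htaccess a _ i r alice ftp 0 * c
Tue Mar  3 08:20:15 2009 4 192.0.2.44 900000 /home/bob/backup.zip b _ o r bob ftp 0 * c
Wed Mar  4 02:05:51 2009 1 203.0.113.90 0 /home/bob/public_html/index.html a _ i r bob ftp 0 * i
Wed Mar  4 11:30:02 2009 2 198.51.100.23 70211 /home/carol/public_html/photo.jpg b _ i r carol ftp 0 * c
"""

# Assumed baseline: addresses each account holder normally connects from.
KNOWN_HOSTS = {"alice": {"198.51.100.10"}, "bob": {"192.0.2.44"}}

WEB_FILES = (".php", ".html", ".htm", ".js", ".htaccess")


def parse_xferlog(line):
    """Split one xferlog line; the filename may contain spaces, so the
    nine trailing fields are taken from the right-hand end."""
    parts = line.split()
    if len(parts) < 18:  # 5 date + 3 fixed + filename + 9 trailing
        return None
    tail = parts[-9:]
    return {"host": parts[6], "path": " ".join(parts[8:-9]),
            "direction": tail[2], "access": tail[3],
            "user": tail[4], "status": tail[8]}


def suspicious_uploads(log_text, known_hosts):
    """Completed uploads of web-served files by real (non-anonymous) users
    from an address outside that account's baseline: {user: {host: [paths]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None:
            continue
        if (rec["direction"], rec["access"], rec["status"]) != ("i", "r", "c"):
            continue
        if not rec["path"].lower().endswith(WEB_FILES):
            continue
        if rec["host"] in known_hosts.get(rec["user"], set()):
            continue
        hits[rec["user"]][rec["host"]].append(rec["path"])
    return {user: dict(hosts) for user, hosts in hits.items()}


if __name__ == "__main__":
    for user, hosts in suspicious_uploads(SAMPLE_LOG, KNOWN_HOSTS).items():
        for host, paths in hosts.items():
            print(f"{user}: {len(paths)} upload(s) from unfamiliar {host}: {paths}")
```

On a real server the baseline can be built from the addresses seen for each account in older logs; the web-file filter is a noise-reduction heuristic and can be widened.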

We highly recommend that all of our clients check whether their workstations are compromised, even if they’re running anti-virus software. We also ask that you ensure your password is not shared over the public Internet, for example through messengers or email. Additionally, please verify your password meets the complexity rules stated in section (8) of this email.

The hackers can upload keyloggers and data sniffers to your local workstations through many methods, including a security weakness in software you run on your system (such as Internet Explorer, Firefox, Windows Media Player, QuickTime Player, Outlook or Office), password guessing or a password dictionary attack. To help you protect yourself from such attacks, we’ve prepared a few recommendations to keep your computer system secure:

1) Never share your password with any parties, and always create different passwords for different sites

2) Be extremely careful when working on a remote system or a system that is shared with others. We don’t recommend that you use a shared system to log in to sensitive websites. There is a chance that a shared system may contain a password hijacker program, or be on a rogue network.

3) If you share your password with 3rd parties, please ask them to follow these steps as well.

4) Before changing your passwords, please ensure your system is clean of viruses. There is no point in changing passwords if the system you’re working on is already compromised. Here are a few suggestions on how to scan your system for viruses on the Microsoft platform:

If you’re not currently using anti-virus and anti-spyware software, we would urge you to purchase one soon. In the meantime, you can try these free real-time scanning alternatives: http://free.avg.com/ or http://www.avira.com

We also strongly encourage you to check and install the latest Windows Security Updates from Microsoft: http://windowsupdate.microsoft.com/. Additionally, you can use the following tools to check for any out-of-date applications installed on your system:

6) Even if you run an up-to-date virus scanner, we do urge you to run multiple scans using the instructions above. Sometimes real-time scanning is unable to catch viruses spread through a web browser, or its signature database may not be up to date.

7) Once you’ve confirmed your local machine is safe, check the other machines within your local network to ensure no infection spreads from one machine to another through USB keys or network file sharing.

8) Ensure your password is complex enough. The ideal password will be at least 8 characters long and contain both upper and lower case characters, a number and a special character.

If you’re using the default password which was sent to you when your hosting account was created, please change it immediately. The Control Panel interface offers a handy password generation utility.

9) It is always preferred that you use secure connections when transmitting password information online. This includes not logging in to any systems or sites that do not support encryption. Our servers will allow you to connect securely for FTP, cPanel, SMTP and POP3 access, as follows:

– We support Auth TLS FTP connections
– You can log in securely to your cPanel interface through https://enterYourSiteName.com/cpanel/. You may be presented with a security certificate warning; please accept it to continue.
– You can access secure SMTP on the same port as your regular SMTP connection (Port 25 or 26)
– You can access secure POP3 on Port 995 which is set by default in Outlook when checking “This server require secure connection (SSL)”

Please note, using SSL connections will result in slower speed and may cause timeouts. Using SSL will also display a warning advising you to accept the server certificate. This is an inherent limitation of shared SSL certificates.

We hope this information will be of great value and help you maintain a safe and secure online presence.